Cyber Incident Victim: Free SAS
Date: Jan 2024
Location: France
Summary
Free Mobile experienced a cyberattack compromising personal data of some subscribers via unauthorized access to a management tool. The breach did not affect passwords, payment information, or communication contents, and caused no operational disruptions. The company filed a legal complaint, notified regulatory authorities, and began informing impacted customers via email while implementing security enhancements to terminate the incident and prevent future breaches.
Description
Free, France's second-largest telecommunications operator, confirmed on October 26, 2024, that it had suffered a cyberattack targeting a management tool within its systems. This breach resulted in unauthorized access to a subset of personal data associated with certain subscriber accounts. The company issued a public statement via Agence France-Presse clarifying the scope of compromised information, explicitly stating that no passwords, banking card details, or communication contents—including emails, SMS messages, or voicemails—were exposed during the incident. Neither the precise date of the attack nor the full extent of impacted accounts was disclosed publicly. Free emphasized that its operational services remained unaffected throughout the event, with no disruption to customer-facing activities detected.

The operator initiated multiple response protocols following the breach discovery. Free filed a formal criminal complaint with the Paris prosecutor's office and notified France's National Commission on Informatics and Liberty (CNIL) and National Agency for the Security of Information Systems (ANSSI) in compliance with national data protection regulations. Affected subscribers received or were scheduled to receive individual email notifications detailing the incident. Company representatives asserted all necessary measures had been implemented immediately to terminate the attack's progression and enhance the security posture of their information systems. This incident occurred approximately five weeks after competitor SFR disclosed a separate data leak involving customer banking information, though no operational or tactical connections between the two events were established in available reporting.
